Send same redirect_uri as /authorize to /token (#341)

* Send same redirect_uri as /authorize to /token * Added a test for sending redirect_uri in a popup
auth0 · Jan 28, 2020 · 4e8663d · 4e8663d
1 parent 6192758
commit 4e8663d
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 10 deletions.
diff --git a/__tests__/index.test.ts b/__tests__/index.test.ts
@@ -260,10 +260,43 @@ describe('Auth0', () => {
         baseUrl: 'https://test.auth0.com',
         client_id: TEST_CLIENT_ID,
         code: TEST_CODE,
-        code_verifier: TEST_RANDOM_STRING
+        code_verifier: TEST_RANDOM_STRING,
+        redirect_uri: 'http://localhost'
       });
     });
-    it('calls oauth/token with correct params', async () => {
+
+    it('calls oauth/token with the same custom redirect_uri as /authorize', async () => {
+      const redirect_uri = 'http://another.uri';
+
+      const { auth0, utils } = await setup({
+        redirect_uri
+      });
+
+      await auth0.loginWithPopup();
+
+      expect(utils.createQueryParams).toHaveBeenCalledWith({
+        client_id: TEST_CLIENT_ID,
+        scope: TEST_SCOPES,
+        response_type: TEST_CODE,
+        response_mode: 'web_message',
+        state: TEST_ENCODED_STATE,
+        nonce: TEST_RANDOM_STRING,
+        redirect_uri,
+        code_challenge: TEST_BASE64_ENCODED_STRING,
+        code_challenge_method: 'S256'
+      });
+
+      expect(utils.oauthToken).toHaveBeenCalledWith({
+        audience: undefined,
+        baseUrl: 'https://test.auth0.com',
+        client_id: TEST_CLIENT_ID,
+        code: TEST_CODE,
+        code_verifier: TEST_RANDOM_STRING,
+        redirect_uri
+      });
+    });
+
+    it('calls oauth/token with correct params and a different audience', async () => {
       const { auth0, utils } = await setup();
 
       await auth0.loginWithPopup({ audience: 'test-audience' });
@@ -272,7 +305,8 @@ describe('Auth0', () => {
         baseUrl: 'https://test.auth0.com',
         client_id: TEST_CLIENT_ID,
         code: TEST_CODE,
-        code_verifier: TEST_RANDOM_STRING
+        code_verifier: TEST_RANDOM_STRING,
+        redirect_uri: 'http://localhost'
       });
     });
     it('calls `tokenVerifier.verify` with the `id_token` from in the oauth/token response', async () => {
@@ -514,7 +548,8 @@ describe('Auth0', () => {
           audience: 'default',
           code_verifier: TEST_RANDOM_STRING,
           nonce: TEST_RANDOM_STRING,
-          scope: TEST_SCOPES
+          scope: TEST_SCOPES,
+          redirect_uri: 'https://redirect.uri'
         }
       );
     });
@@ -1267,7 +1302,8 @@ describe('Auth0', () => {
           baseUrl: 'https://test.auth0.com',
           client_id: TEST_CLIENT_ID,
           code: TEST_CODE,
-          code_verifier: TEST_RANDOM_STRING
+          code_verifier: TEST_RANDOM_STRING,
+          redirect_uri: 'http://localhost'
         });
       });
       it('calls `tokenVerifier.verify` with the `id_token` from in the oauth/token response', async () => {

diff --git a/__tests__/transaction-manager.test.ts b/__tests__/transaction-manager.test.ts
@@ -8,7 +8,8 @@ const transaction = {
   code_verifier: 'code_verifierIn',
   appState: 'appStateIn',
   scope: 'scopeIn',
-  audience: ' audienceIn'
+  audience: ' audienceIn',
+  redirect_uri: 'http://localhost'
 };
 
 jest.mock('../src/storage');

diff --git a/src/Auth0Client.ts b/src/Auth0Client.ts
@@ -134,7 +134,8 @@ export default class Auth0Client {
       code_verifier,
       appState,
       scope: params.scope,
-      audience: params.audience || 'default'
+      audience: params.audience || 'default',
+      redirect_uri: params.redirect_uri
     });
     return url + fragment;
   }
@@ -186,7 +187,8 @@ export default class Auth0Client {
       audience: options.audience || this.options.audience,
       client_id: this.options.client_id,
       code_verifier,
-      code: codeResult.code
+      code: codeResult.code,
+      redirect_uri: params.redirect_uri
     });
     const decodedToken = this._verifyIdToken(authResult.id_token, nonceIn);
     const cacheEntry = {
@@ -289,7 +291,8 @@ export default class Auth0Client {
       audience: this.options.audience,
       client_id: this.options.client_id,
       code_verifier: transaction.code_verifier,
-      code
+      code,
+      redirect_uri: transaction.redirect_uri
     });
 
     const decodedToken = this._verifyIdToken(
@@ -389,7 +392,8 @@ export default class Auth0Client {
         audience: options.audience || this.options.audience,
         client_id: this.options.client_id,
         code_verifier,
-        code: codeResult.code
+        code: codeResult.code,
+        redirect_uri: params.redirect_uri
       });
 
       const decodedToken = this._verifyIdToken(authResult.id_token, nonceIn);

diff --git a/src/global.ts b/src/global.ts
@@ -234,6 +234,7 @@ interface OAuthTokenOptions {
   audience?: string;
   code_verifier: string;
   code: string;
+  redirect_uri: string;
 }
 
 /**

diff --git a/src/transaction-manager.ts b/src/transaction-manager.ts
@@ -9,6 +9,7 @@ interface Transaction {
   audience: string;
   appState?: any;
   code_verifier: string;
+  redirect_uri: string;
 }
 interface Transactions {
   [key: string]: Transaction;